Openfire

v5.0.5 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 19d Communication & Email

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

collaboration jabber java openfire xmpp xmpp-server

Affected surfaces

deps

ReleasePort's take

Light signal

editorial:auto 9d

The User Group page now supports removing a user from a group.

Why it matters: Enables administrators to directly manage group memberships via the UI, improving operational efficiency for developers and SREs managing Openfire deployments.

Summary

AI summary

Fixed inability to remove a user from a group via the User Group page.

Changes in this release

Type	Severity	Summary	CVE
Feature	Medium	'max users' count for MUC hidden when unlimited (0) 'max users' count for MUC hidden when unlimited (0) Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency
Dependency	Medium	BouncyCastle version upgraded from 1.78.1 to 1.84 BouncyCastle version upgraded from 1.78.1 to 1.84 Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	MySQL Connector/J driver upgraded to 8.4.0 release MySQL Connector/J driver upgraded to 8.4.0 release Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Jetty webserver library upgraded to 12.0.35 release Jetty webserver library upgraded to 12.0.35 release Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	org.glassfish.jaxb:jaxb-runtime updated to latest 2.3.x line org.glassfish.jaxb:jaxb-runtime updated to latest 2.3.x line Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Postgresql driver updated to 42.7.11 Postgresql driver updated to 42.7.11 Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	User Group page now allows removing user from group User Group page now allows removing user from group Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	LDAP authentication logs correct exception on alternate base-DN failure LDAP authentication logs correct exception on alternate base-DN failure Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	PluginIconServlet sets HTTP Content-Type header for gif files PluginIconServlet sets HTTP Content-Type header for gif files Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	xffHostHeader values are now updated correctly xffHostHeader values are now updated correctly Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	ConnectionListener uses correct getter for self-signed certificates setting ConnectionListener uses correct getter for self-signed certificates setting Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Low	LDAP context‑close failures are logged without exception stack trace LDAP context‑close failures are logged without exception stack trace Source: granite4.1:30b@2026-05-22-audit Confidence: low	—
Bugfix	Low	MultiUserChatServiceImpl#setIdleUserTaskInterval now respects the provided value MultiUserChatServiceImpl#setIdleUserTaskInterval now respects the provided value Source: granite4.1:30b@2026-05-22-audit Confidence: low	—
Refactor	Medium	Removed disabled performance benchmark in IQEntityTimeHandlerTest Removed disabled performance benchmark in IQEntityTimeHandlerTest Source: llm_adapter@2026-05-21 Confidence: low	—
Other	Medium	Newlines displayed in SecurityAuditManager event details Newlines displayed in SecurityAuditManager event details Source: llm_adapter@2026-05-21 Confidence: low	—
Other	Medium	Corrected malformed link markup in upgrade guide (hre to href) Corrected malformed link markup in upgrade guide (hre to href) Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

5.0.5 -- May 15, 2026

Improvement

[OF-1499] - Do not show 'max users' count for a MUC when it is 0 (unlimited)
[OF-2503] - Display newlines in details of logged SecurityAuditManager events
[OF-3160] - Bump BouncyCastle.version from 1.78.1 to 1.84
[OF-3226] - LDAP context-close failures are logged without their exception stack trace
[OF-3246] - Upgrade MySQL Connector/J driver to 8.4.0 release
[OF-3247] - Upgrade Jetty webserver library to 12.0.35 release
[OF-3274] - Update org.glassfish.jaxb:jaxb-runtime to the latest of the 2.3.x line

Task

[OF-3230] - Disabled performance benchmark in IQEntityTimeHandlerTest should be removed or converted
[OF-3236] - Fix malformed link markup in upgrade guide (hre instead of href)
[OF-3265] - Update postgresql driver to 42.7.11
[OF-3270] - MultiUserChatServiceImpl#setIdleUserTaskInterval ignores value

Bug

[OF-3213] - A user's User Group page cannot be used to remove user from group
[OF-3225] - LDAP authentication logs the wrong exception when the alternate base-DN also fails
[OF-3255] - PluginIconServlet does not set HTTP Content-Type header for gif
[OF-3263] - xffHostHeader values not updated
[OF-3266] - Wrong getter used in ConnectionListenser#setAcceptSelfSignedCertificates

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Openfire

Get notified when new releases ship.

About Openfire

Real time collaboration (RTC) server.

All releases →